Can we enable CC on non-TDX/SEV server?

[shumeigiku]

Hi all,

I install H100 on a general server (without TDX/SEV). On this server, we only want to test the computing performance on CC mode (I mean, what is the time cost when executing GPU tasks on H100's confidential environment). We do not consider attestation or other security guarantees.

But when we enable CC, the nvidia-smi cannot find the GPU. Also, it seems that our CUDA can be executed, but we are not sure whether it is running in a confidential environment (maybe a special GPU memory). Also, we do not know which CC steps we bypass during the computing.

So, I have 2 questions here:

1. In CC mode + non-TDX/SEV server, can we allow the Host GPU driver to access the H100 GPU (I mean, make the H100 think it is in a confidential VM) and require the H100 to execute tasks in a confidential environment?
2. If yes, what steps must/may be bypassed in the native confidential computing workflow (e.g., attestation?) ? How do we configure the kernel driver to achieve this?

Could you please give me some advice?

[moconnor725]

Unfortunately, there is no way to simulate or otherwise fake confidential computing mode. The CPU initiates the trusted environment and then it is extended to include the GPU.

You cannot make the H100 think it is in a confidential VM

[Tan-YiFan]

You can let H100 run in CC mode with a non-TDX/SEV VM. Set the variables related to cc_enabled to 1 in https://github.com/NVIDIA/open-gpu-kernel-modules/blob/545.29.03/kernel-open/nvidia/nv.c#L282-L300, and then compile and install the kernel driver. This function is where Nvidia driver detects whether the VM is CVM.

A VM is probably required at least. Running CC in the host is prohibited.